Privacy & Data Security Bills After the Midterm Elections

The midterm elections will likely result in a shift of political power within the House of Representatives. The resultant divided government is likely to impact the current ambitious privacy and data security legislative agenda. Rimon Washington D.C. Data Privacy, Security & Management attorneys Judith Harris, Christopher Cwalina, and Amy Mushahwar have published an analysis of their predictions for 2011 legislative priorities as the incoming crop of legislators move from campaign mode to governance. Please see their article in Information Security.

Court Rules Twitter Libel is Stale, and Neither Ripe Nor Moldy

Back in July, Legal Bytes posted a report (Landlord Can’t Let Tweet sMOLDer) about a Twitter "tweet" posted by Amanda Bonnen, that contained the following statement: "Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it’s OK."

Back then we told you that Horizon Group Management, the landlord of the apartment building involved, filed suit in a Cook County Illinois Court for libel, alleging that it was a "malicious and defamatory" tweet about the state of her apartment. 

Well this past Wednesday (Jan. 20, 2010), Cook County Circuit Court Judge Diane J. Larsen dismissed the suit, and Ms. Bonnen’s attorney indicated the judge described the posting as too vague to constitute libel under the legal tests applicable to such a claim.

To support a claim of libel, Horizon would have had to show that Ms. Bonnen wasn’t merely offering her opinion, that the statement must be reasonably understood by everyone to refer to the specific entity—in this case, this particular Horizon realty company—and that there was actual harm that can be proved, flowing from the statement. The fact that the statement was made on Twitter, and consequently widely available across the Internet, doesn’t change the standard one must meet to prove libel, and the judge dismissed the case. 

As you can guess, these aren’t the only cases involving defamation in the context of social media. For example, the action against Courtney Love, wife of the late Kurt Cobain, is alive and well. You might recall that case arose when a fashion designer claimed Ms. Love tweeted that the designer was a drug addict, a prostitute and called her a "lying hosebag thief." As we reported in Legal Bytes this past August (Court Orders Google to Turn Over Blogger Identity Information), cases of defamation become even more complex when the identity of the actual "tweeter" is hidden behind a pseudonym.

These cases all hinge upon the friction created by social interaction. Defamation is not a new concept, and whether broadcast over radio waves or propagated across the web, it should come as no surprise that when human beings populate the borderless universe of cyberspace, these interactions can give rise to legal actions. The laws that apply to publicity, privacy, libel, deceptive advertising, unfair competition and intellectual property may need to be applied or viewed differently, but they don’t disappear simply because the content is digital. Need to know more? Contact me, Joseph I. Rosenbaum, or any Rimon attorney with whom you regularly work.

Court Orders Google to Turn Over Blogger Identity Information

Earlier this week, New York State Supreme Court Judge Joan Madden ordered Google to turn over account information about an anonymous blogger to model Liskula Cohen in order to enable her to pursue a claim of defamation. The blogger had used Google’s blogging service to create a blog entitled “Skanks in NYC,” and had posted pictures and references to the model that were anything but flattering, and which, she claimed, lost potential opportunities for her. When Ms. Cohen originally sought to find out who had posted the content, predictably Google resisted, maintaining that its privacy policy does not permit the disclosure of the blogger’s account information.

To put this in perspective, the protection of free speech—especially anonymous speech—is a concept in American jurisprudence and history that traces its roots to Thomas Payne’s pamphlet, Common Sense. First published in 1776, it anonymously challenged the authority of Great Britain in the New World and is widely regarded as the first work to openly ask for independence for the Colonies from Britain.

Since then, state courts have varied on just how wide those rights go and for what purposes protection is appropriate. Although I am hardly a First Amendment lawyer or a Constitutional scholar, the legal issue still seems simple. If the speaker—anonymous or not—is expressing ideas or an opinion or belief, he or she is more likely to enjoy protection. While there are limitations on freedom of expression (e.g., yelling “fire” in a crowded theater), political expression has typically enjoyed greater protection than “commercial” speech—one being fundamental to a society’s encouragement of the free flow of ideas, the other designed to promote a product, service or brand in a free market economy. On the other side of the spectrum and generally not protected, would be public expressions that are clearly and solely intended to hurt someone, where actual harm can be shown from intentional or malicious public expression or, as was determined by the New York court here, where an illegal act was or was likely to have been committed—in this case, defamation.

While it is difficult to pinpoint a single factor that will always favor protection, anonymity is a strong legal shield U.S. jurisprudence holds dear to protect individuals from the potential swords of those in power, or from anyone who might seek to stifle dissent or ideas that might be unpopular. For example, in 2005, a blogger who ranted against a politician, accusing him of “obvious mental deterioration,” was ultimately protected by the Delaware Supreme Court expressing concern over the potential “chilling effect” on anonymous speech. The blogger in this case was referring to a politician, and the court ruled that in order to justify revealing the identity of an anonymous blogger, the plaintiff must provide evidence sufficient to all the elements of the claim if the case were to go to trial. Because the court concluded no reasonable person would believe the blogger’s statements to be factual, no action for defamation could be sustained, and the court dismissed the case. You can read the Delaware Supreme Court’s decision in full right here, but clearly for bloggers, this represented a significant landmark and affirmation of the substantial protection afforded anonymous posting.

In a subsequent 2008 case, a Maryland Court of Appeals decision (Independent Newspapers, Inc. v. Zebulon J. Brodie) similarly concluded that anonymous posts should be protected, and set out an approach first detailed in a New Jersey case (Dendrite Int’l, Inc. v. John Doe No. 3) describing the steps judges should take in deciding whether to compel disclosure of anonymous online speakers in cases that come along in the future.

Unlike the previous cases, and potentially distinguishing this case, is the fact that the blogger here targeted Ms. Cohen intentionally, exclusively, and individually; and while the defendant argued the postings were just “trash talk” and only opinion, Judge Madden noted that if Ms. Cohen could prove the blogger’s statements were factually inaccurate, it would refute the argument that the posts were merely opinion and would support a legal claim of defamation.

As we have previously noted in Legal Bytes in articles describing the FTC’s efforts to regulate the blogosphere, and in presentations we have made, it is clear that online speech is coming under increased scrutiny, and that regulators and courts appear to nibbling away at the virtually complete immunity anonymous bloggers once seemed to enjoy, seeking to define the contours of what is or is not permissible conduct on the web. Does anyone remember the term “netiquette”?

For more information, or for assistance with issues like these or any social media, online, digital content, gaming or matters that meet at the crossroads of advertising, technology & media, look up Joseph I. Rosenbaum, send me an email, or contact the Rimon attorney with whom you regularly work. We are happy to help.

Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles

A group of the nation’s largest media and marketing trade associations today released self-regulatory principles to protect consumer privacy in ad-supported interactive media that will require advertisers and websites to clearly inform consumers about data collection practices, and enable them to exercise control over that information.

In an extraordinary show of industry cooperation and collaboration, the American Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau last week released a series of self-regulatory principles, intended to be implemented by 2010 and designed to protect consumer privacy in advertising-supported interactive media. As part of the announcement, the Council of Better Business Bureaus along with the DMA, has agreed to implement accountability programs relative to these principles.

These self-regulatory guidelines come on the heels of a recently released study commissioned by the IAB entitled “Economic Value of the Advertising-Supported Internet Ecosystem,” which reported that the advertising-supported Internet represents 2.1 percent of the total U.S. gross domestic product (GDP), contributing $300 billion to the economy, and has created 3.1 million U.S. jobs.

“Guided by the seven Principles we have announced today, the advertising community is developing one of the most comprehensive self-regulatory programs ever undertaken by the business community. The fast-changing online marketing environment is best addressed by a self-regulatory framework that is transparent, flexible and accountable to consumers’ needs and concerns. On behalf of our 360 members, who collectively invest more than $200 billion annually in marketing communications, we look forward to jointly developing a comprehensive business system that respects and honors these Principles,” said Bob Liodice, President and CEO, (ANA).

“This historic collaboration represents businesses and trade associations working together to advance the public interest,” said Randall Rothenberg, President and CEO, IAB. “Although consumers have registered few if any complaints about Internet privacy, surveys show they are concerned about their privacy. We are acting early and aggressively on their concerns, to reinforce their trust in this vital medium that contributes so significantly to the U.S. economy.”

The seven Principles designed to address consumer concerns about use of personal information without wreaking havoc to advertising that subsidizes and supports the vast array of free online content relate to:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

We will be highlighting each of these principles separately in Legal Bytes over the weeks ahead, but if you would like to read the “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link.

Give Credit (Card), No Give a Gift (Card)! Why Not Give Both?

Although consumer credit regulation is hardly new – Regulation E, the Fair Credit Reporting Act, Regulation Z and laws regulating disclosures, debt collection practices, billing statements and the like have been around for decades – for the first time in U.S. history, Federal legislation is tackling pricing, rate modifications, advertising disclosures and fees, and adding a gift card angle as well. 

While the House has not yet passed this or any other version of the legislation, those in the know believe a similar, if not identical, bill will be approved by the House of Representatives and that the President is likely to sign it. 

Are you a bank, payment card association, credit union or financial institution that issues credit cards or gift cards? Here are highlights of the bill that passed the Senate:

  • When marketing, a card issuer would not be permitted to increase any advertised ‘teaser’ rates for at least a year after a new account was opened for the consumer, and promotional rates advertised to consumers must remain in effect for at least six month;
  • Unless the credit-issuing institution can get proof that anyone under 21 can actually repay their credit card debt, credit cards can only be issued to individuals under the age of 21 if a parent, legal guardian or guarantor agrees in writing to be responsible for the debts;
  • If a consumer pays more than the minimum balance due, the excess must be applied to the balance with the highest interest rate;
  • Card issuers will not be allowed to change rates retroactively on existing balances (there is an exception where the consumer is past due by 60 days – which, I guess, presumes that when a consumer can’t afford to pay their balance within 60 days, it’s ok to raise their rates since they probably won’t be able to afford to pay a higher rate either);
  • Bills for balances due must be sent at least three weeks (21 days) before their due date;
  • Card issuers will no longer be able to charge additional fees to consumers for alternate payment mechanisms (e.g., by mail, telephone, online, electronic, wire transfers), unless the consumer requests and the issuer offers some type of ‘expedited’ service;
  • Consumers must be asked if they want to allow ‘over-limit’ credit transactions and if they do not affirmatively consent, the card issuer will not be permitted to charge a fee if the issuer still authorizes the transaction (e.g., your credit limit is $1,000 and you charge something for $1,001 and the authorization system approves the transaction anyway);
  • Changes in the terms and conditions that apply to consumer cardholders will require at least 45 days’ notice; and
  • The minimum amount of time a gift card must remain valid for use will be 5 years. First, it is likely this will apply to gift cards that are consumer-oriented and where full value is paid, and not to discounted, bulk sales, non-consumer, incentive, employer or promotional gift cards – but then the legislation isn’t final yet, is it? Furthermore, the Federal legislation is not likely to preempt more consumer-friendly State law (e.g., California prohibits any expiration date on such gift cards), but it will place a minimum level of consumer protection against earlier expiration, even in States that have no applicable regulation.

There is also consideration being given to removing any current legal and contractual restrictions on merchants that would allow them to differentially price their products and services based on the incremental costs (or savings) of accepting different forms of payment. When credit and debit cards were scarce and cash was king (cash, as in ‘currency’), regulation and industry groups frowned upon differential pricing, arguing that allowing a merchant to charge more for the use of a credit card was discriminatory to the consumer – even though the cost of accepting such payment instruments was higher (the merchant pays a fee (discount rate) to the card-issuing enterprise for the privilege of accepting the particular brand of card). Furthermore, the growth of corporate and purchasing cards and the use of payment instruments in B2B transactions has resulted in situations where a manufacturer accepts a purchasing card (procurement-based credit card) in payment of sales to distributors, wholesalers and retailers – a fee is charged to the manufacturer for the card transaction. This chain continues until a consumer makes a retail purchase, and if any or all of these transactions involve branded payment instruments and not cash, travelers’ checks, bearer bonds or two goats and a chicken, today, a fee would most likely accrue on each payment-card transaction at each step of the way . . . significantly raising the cost to everyone and ultimately the consumer. Stay tuned.

So: Consumer Credit? Co-branded promotions? Loyalty Rewards Programs? Gift Cards? Premiums and Incentives? Retail Promotions? Payment Card Industry (PCI) Data Security Standards? Privacy & Data Protection? Identity Theft? Data Breach? Pre-Screening? Online Digital Payment Systems? Corporate Cards? Purchasing Cards? E-Commerce? Regulation E? Regulation Z? Statement Insert Advertising; Credit/Demographic Market Segmentation? Free? APR? Limited Time Offer?

Any of these sound familiar? It’s what we do? Our Advertising Technology & Media Law Group; our Financial Institutions Group; our Data Security and Identity Theft Group . . . need we say more . . . If you need help (or you are just over stimulated by the flurry of legislation, regulation and excitement), call us or email me at joseph.rosenbaum@rimonlaw.com. We can help.

Transborder Transfers of Data Outside Europe Need New Rules

The European Commission established a Data Protection Working Party on data protection and privacy—an independent advisory body set up under the Data Protection Directive. This Working Party recently published an opinion relating to the EC’s draft standard contract terms that apply to the movement of data across national borders, notably between Member States within and outside of the EU. 

Specifically, the Working Party recommended that the Commission develop brand new model contract provisions to deal with international and multi-national data processing involving transfers of data outside the EC—a long-standing sore point among companies in countries that have historically been viewed as having "inadequate" privacy and data protections. These model or standard contract terms would establish acceptable contractual protections between entities that control data within the European Union/European Economic Area (EU/EEA) and data processors they use outside the European Community, to ensure protections are comparable.

Continue reading “Transborder Transfers of Data Outside Europe Need New Rules”

Digital Dilemma – How To Respond When Law Enforcement Knocks

The SEC shows up at your door asking for documents relating to options and securities granted for the past 10 years. Homeland Security Officers arrive at your plant asking to speak to several employees and asking for copies of employment records. State police, having confiscated laptop computers and CD-ROM files during a drug bust, show up at your door asking to compare database records since they suspect that identity theft or credit card fraud may be afoot. The Department of Justice wants to interview several of your employees, claiming some may have entered the United States on non-immigrant visas. Sound far-fetched? Probably not these days.

With the economy in turmoil, corporate officers on the defensive, immigration under attack, and money laundering, piracy, drugs, terrorism and Ponzi schemes making headlines almost every day, law enforcement and regulatory officials are under increasing scrutiny and increasing pressure to protect the public and get results. It doesn’t take much imagination to appreciate that during the course of a criminal investigation, the most compelling evidence often arises from third parties who aren’t even knowingly involved; airline, credit card, hotel, telephone, email and other records can often document the where, when and sometimes how of criminal activity.

From a civil law point of view, competitive pressures can lead to claims of economic espionage and theft of trade secrets, and antitrust issues can arise that will spawn litigation and the compelled disclosure of evidence. Indeed, any corporate executive or corporate lawyer who has ever been on the receiving end of a third party subpoena issued to them—innocent third parties—knows how burdensome and costly such requests for evidence can be, even if you aren’t a party to the lawsuit.

In a digital world, it is also far too easy to collect, maintain and copy vast amounts of information—information accessible with several keystrokes, available on easily transportable magnetic media. For corporations and their executives and managers, growing and often regular dilemmas must be confronted when law enforcement or regulators show up at the door and start asking questions or requesting information. Corporations have legal obligations involving compliance and cooperation with law enforcement and regulatory officials. But they also have responsibilities and legal obligations to their employees and their workplaces—and to their shareholders. If not done properly, cooperating with law enforcement and regulators can lead to lawsuits by employees, customers and, sometimes—if large amounts of time and money are expended because of improper or inadequate procedures—even shareholders. 

Continue reading “Digital Dilemma – How To Respond When Law Enforcement Knocks”

France: Online Ads Could Lead to User Data ‘Merchandising’

In a report entitled “Targeted Online Advertising” (La Publicité Ciblée en Ligne), presented in February and recently released publicly, the French data protection regulatory authority (CNIL) has expressed concern that targeted online advertising could be a conduit for the merchandising of personally identifiable information about online users. 

The CNIL has been examining context-sensitive, behavioral marketing and targeted advertising mechanisms online, and is concerned about privacy implications. The report notes that analyzing online user data for the purpose of serving more relevant advertising involves the collection of Internet protocol addresses, what websites a user arrived from or subsequently visited, and even key words entered by the user. In case you haven’t thought about it, definitions are hardly uniform in laws and regulations around the world, i.e., an IP address is considered personal data in the EU, but is not personally identifiable information in the United States. 

The report raises an alarm over what could be a means of “systematic profiling” and examines what it believes are growing risks to privacy in this context. In France, and many jurisdictions, targeted advertising must comply with the same data protection rules that apply to the use of personal data online. The French authorities have consistently maintained that users should be specifically informed about how their data will be used, and should be given the opportunity to opt out of these uses—even if it means they can no longer use the services available on the site.

The report also specifically notes that many free services on the Internet are actually subsidized by advertising. While “free” is an accurate financial description in a literal sense, consumers often don’t appreciate they are actually paying a “price”—the value of personal information provided in exchange for “free” services they receive online. 

While the report does not attempt to cover mobile or wireless advertising broadly, it does note that adding information about a user’s location through GPS and other technology, adds tracking capability that the CNIL fears will allow for even greater intrusion and profiling of individual behavior. You can read the entire CNIL report in French on their website at “La publicité ciblée en ligne” (Targeted Online Advertising).

FTC Testimonial and Endorsement Guides Stimulate Industry Comment

Rimon acts as counsel to many of the advertising industry’s leading trade and membership associations – The Association of National Advertisers, The Word of Mouth Marketing Association, the Interactive Advertising Bureau, to name only a few. As you may have notices, a recent Legal Bytes blog post noted that just last month the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report.

Well the FTC has been busy in re-examining it’s policies regarding testimonials and endorsements in this digital age. As previously reported in Legal Bytes, the FTC indicated it was revising it’s Testimonial and Endorsement Guides (the first time since the 1980s). Well comments have now been submitted and we strongly recommend that anyone in the advertising and marketing business take a look at some of them. In fact, to help you, Legal Bytes has a couple you can look at right now – Comments for The Association of National Advertisers and Comments for The Word of Mouth Marketing Association – and when you finish reading them ask yourself:

  • Now that public comments are in, what do we think will happen?
  • What is in front of the FTC that might affect its decision making?
  • How would self-regulation differ from the way the FTC has been operating?
  • What does the new FTC Chairman think about self-regulation?
  • Do we expect the new administration to shift direction? If so, which way?
  • How is all this likely to affect advertising and marketing using product placements, branded entertainment, blogs, consumer generated content, buzz, viral and word of mouth marketing?

If you need to know, you need to contact John Feldman, Douglas Wood or Joseph Rosenbaum – or your favorite Rimon attorney – who will be more than happy to help you.

Behave Yourself – FTC Behavioral Ad Guidelines Promote Self Regulation, BUT . . .

FTC Releases Revised Ad Guidelines: Are New Marketing Practices in Your Wallet?

On February 12, 2009, the FTC supplemented its December 2007 “Self-Regulatory Principles for Online Behavioral Advertising” report, highlighting the FTC’s voluntary best practices for the behavioral advertising industry. While continuing to support self-regulation, that should not be taken as a vote of confidence for continuing the status quo. Change is in the air and you may well need to:

  • develop more consumer education concerning behavioral advertising;
  • develop internal privacy protections for anonymous data profiles;
  • create opt-in notice mechanisms for collection of sensitive information; and
  • create opt-in notice mechanisms for retroactive changes to privacy practices.

. . . and if you think your privacy policies are ok, as is, think again. The FTC has taken a broad brush to paint a picture of what it considers personally identifiable information (PII) and what ‘sharing’ of that information may require. Our experts Amy S. Mushahwar and John P. Feldman have written an alert that describes what you need to know in more detail. To read the full alert, with links to the FTC releases, click here.